Convenience store operator Wawa has agreed to pay six states and the District of Columbia more than $8 million to settle a 2019 data breach that impacted 34 million payment cards that were used at the Mid-Atlantic c-store leader’s stores in New Jersey, Pennsylvania, Delaware, Maryland, Virginia, Florida and DC. The settlement was announced late last month by the attorneys general in the jurisdictions where the breach occurred.

Between April and December 2019, hackers deployed malware to access sensitive customer data from Wawa’s security system. The jurisdictions involved charged that the Wawa, PA-based retailer failed to utilize reasonable security measures that would have prevented the hackers’ breach.

Cardholder names, credit card numbers and expiration dates were exposed. However, it was determined that debit card information, personal identification numbers (PINs), credit card CVV numbers and driver’s license data were not impacted. Approximately 850 Wawa locations and more than 30 million sets of payment records were affected, and Wawa acknowledged that by late April 2019 malware was present on most of its convenience store payment systems.


Last month’s settlement is the third-largest over a credit card breach, behind Target’s $18.5 million settlement with 47 states in 2017 and Home Depot’s $17.5 million settlement with 46 states in 2020. The money received will be used to cover litigation fees and to support states’ consumer protection law enforcement efforts.

Pennsylvania and New Jersey will receive the largest settlements (approximately $2.5 million each) followed by Florida (approximately $1.1 million), Virginia (approximately $682,000), Maryland (approximately $483,000), Delaware (approximately $450,000) and Washington, DC (approximately $16,000).

“This settlement is as important for the strengthened cyber security measures it requires as for the dollars Wawa must pay,” said New Jersey Acting Attorney General Matthew Platkin. “When businesses fail to maintain solid data security systems or train their employees to recognize suspicious web overtures, criminal hackers can be counted on to move in and exploit the situation. This settlement should serve as a message to the industry that we are serious about holding businesses accountable when they fail to protect consumers’ sensitive personal information.”

“Today’s settlement will help protect Pennsylvanians’ personal information going forward and will hold Wawa accountable for the data breach that occurred on their watch. Thanks to this work Wawa will adopt new corporate policies to deter data breaches in the future,” said Pennsylvania Attorney General Josh Shapiro.

A short time after the breach was announced, a class-action lawsuit was filed that has since been resolved. In that settlement, customers were to receive $9 million (mostly in gift cards) and Wawa agreed to invest $35 million to upgrade its cybersecurity. An additional $3.2 million was ultimately added to that total to cover legal fees and expenses.

As part of Wawa’s agreement with the attorneys general in the six states and DC where it operates stores, the retailer will now be required to maintain a comprehensive information security program designed to protect consumers’ sensitive personal information; provide the resources necessary to fully implement that program; provide appropriate security awareness and privacy training to all personnel who have key responsibilities for implementing and overseeing the program; employ specific security safeguards with respect to logging and monitoring, access controls, file integrity monitoring, firewalls, encryption, comprehensive risk assessments, penetration testing, intrusion detection, and vendor account management; and, following the protocol of previous state data breach settlements, undergo a post-settlement information security assessment that, in part, will evaluate its implementation of the agreed-upon information security program.